1.2.420. Encoded Simple Letters
Some simple letters are written as escape sequences.
Escape sequences are usually meant to encode unusual characters. Using them for simple characters, such as letters or numbers, is suspicious.
This analysis also detects Unicode code points with superfluous leading zeros.
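<?php
// This escape sequence makes eval hard to spot: "\101" is the octal escape for "A"
// (eval is a language construct, so PHP cannot call it through a variable;
// the encoded literal itself is what this rule reports)
$a = "ev\101l";
$a('phpinfo();');
// With a PHP 7.0 Unicode code point sequence, padded with leading zeros
$a = "ev\u{000041}l";
$a('phpinfo();');
// With a PHP 5.0+ hexadecimal sequence
$a = "ev\x41l";
$a('phpinfo();');
?>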
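The check described above can be approximated with PHP's own tokenizer. This is an added example, not Exakat's implementation or code from the original page; the function name findEncodedLetters, the constructed sample source and the restriction to plain double-quoted literals are assumptions made for illustration.

```php
<?php
function findEncodedLetters(string $source): array
{
    // The final "." consumes any other escape (\\, \n, ...) so an escaped backslash is never misread.
    $escape = '/\\\\(?:([0-7]{1,3})|x([0-9A-Fa-f]{1,2})|u\{([0-9A-Fa-f]+)\}|.)/s';
    $findings = [];
    foreach (token_get_all($source) as $token) {
        // Scope (assumption): plain double-quoted literals; interpolated strings and heredocs are skipped.
        if (!is_array($token) || $token[0] !== T_CONSTANT_ENCAPSED_STRING || $token[1][0] !== '"') {
            continue;
        }
        preg_match_all($escape, $token[1], $matches, PREG_SET_ORDER);
        foreach ($matches as $m) {
            $reasons = [];
            if (($m[1] ?? '') !== '') {
                $cp = octdec($m[1]) & 0xFF;      // PHP wraps octal escapes to one byte
            } elseif (($m[2] ?? '') !== '') {
                $cp = hexdec($m[2]);
            } elseif (($m[3] ?? '') !== '') {
                $cp = hexdec($m[3]);
                if (strlen($m[3]) > 1 && $m[3][0] === '0') {
                    $reasons[] = 'leading zeros';
                }
            } else {
                continue;                        // ordinary escape, nothing to report
            }
            if ($cp < 128 && ctype_alnum(chr($cp))) {
                $reasons[] = 'encodes "' . chr($cp) . '"';
            }
            if ($reasons) {
                $findings[] = [$token[2], $m[0], implode(', ', $reasons)];
            }
        }
    }
    return $findings;
}
// Constructed sample input (nowdoc, so the escapes reach the tokenizer untouched).
$sample = <<<'PHP'
<?php
$a = "ev\101l";          // octal
$b = "ev\u{000041}l";    // Unicode code point with leading zeros
$c = "ev\x41l";          // hexadecimal
$d = "tab\there \\101";  // legitimate escape, then an escaped backslash
$e = 'ev\101l';          // single-quoted: escapes are not interpreted
PHP;
foreach (findEncodedLetters($sample) as [$line, $esc, $why]) {
    printf("line %d: %s (%s)\n", $line, $esc, $why);
}
```

Lines 5 and 6 of the sample produce no findings: the first contains only an ordinary escape and an escaped backslash, and the second is single-quoted.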
1.2.420.1. Suggestions
Make all simple letters appear clearly
Add comments explaining why this code is encoded
1.2.420.2. Specs
Short name | Security/EncodedLetters
Rulesets |
Exakat since | 0.10.5
PHP Version | All
Severity | Minor
Time To Fix | Quick (30 mins)
Precision | Very high
Features | string-sequence
Examples |
Available in |